Further research into how the Stuxnet worm operates lends more credence to the …

A new report appears to add fuel to suspicions that the Stuxnet superworm was responsible for sabotaging centrifuges at a uranium enrichment plant in Iran.

The report, released Thursday by the Institute for Science and International Security (ISIS), indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally. Failure to operate at those frequencies leaves them at risk of breaking down and flying apart.

The frequencies of the Natanz rotors were apparently not a secret and were disclosed to ISIS in mid-2008 — the earliest samples of Stuxnet code found so far date back to June 2009, a year after ISIS learned about the frequencies. They were disclosed to ISIS by “an official from a government that closely tracks Iran’s centrifuge program.”

The unnamed government official told ISIS that the nominal frequency for the IR-1 centrifuges at Natanz was 1064Hz, but that Iran kept the actual frequency of the centrifuges lower to reduce breakage. According to another source, Iran often ran its centrifuges at 1007Hz.

The information would have been gold to someone looking to sabotage the centrifuges since, as ISIS notes, it provided both confirmation that Iran’s centrifuges were prone to an unusual amount of breakage and that they were subject to breakage at a specific frequency of rotation.

Stuxnet was discovered last June by a Belarus security firm, which found samples of the code on computers belonging to an unnamed client in Iran. The sophisticated code was designed to sabotage specific components used with an industrial control system made by the German firm Siemens, but only if these components were installed in a particular configuration. The unique configuration Stuxnet seeks is believed to exist at Natanz and possibly other unknown nuclear facilities in Iran.

After German researcher Ralph Langner first posited that Stuxnet’s target was Iran’s nuclear power plant in Bushehr, Iranian President Mahmoud Ahmadinejad acknowledged that Stuxnet affected personal computers belonging to workers at the plant but maintained that the plant’s operations were not affected by the malware. However, in November, he announced that unspecified malicious software sent by western enemies had affected Iran’s centrifuges at its Natanz plant and “succeeded in creating problems for a limited number of our centrifuges.” He did not mention Stuxnet by name.

It’s known that between November 2009 and February 2010, Iran decommissioned and replaced about 1,000 IR-1 centrifuges at its Natanz plant. It’s not known if this was due to Stuxnet or due to a manufacturing defect or some other cause, but the ISIS report increases the plausibility that Stuxnet could have played a role in their demise.

According to an examination of Stuxnet by security firm Symantec, once the code infects a system, it searches for the presence of two kinds of frequency converters made by the Iranian firm Fararo Paya and the Finnish company Vacon, making it clear that the code has a precise target in its sights. Once it finds itself on the targeted system, depending on how many frequency converters from each company are present on that system, Stuxnet undertakes two courses of action to alter the speed of rotors being controlled by the converters. In one of these courses of action, Stuxnet begins with a nominal frequency of 1064Hz—which matches the known nominal frequency at Natanz but is above the 1007Hz at which Natanz is said to operate—then reduces the frequency for a short while before returning it to 1064Hz.

In another attack sequence, Stuxnet instructs the speed to increase to 1410Hz, which is “very close to the maximum speed the spinning aluminum IR-1 rotor can withstand mechanically,” according to the ISIS report, which was written by ISIS President David Albright and colleagues.

“The rotor tube of the IR-1 centrifuge is made from high strength aluminum and has a maximum tangential speed of about 440-450 meters per second, or 1,400-1,432Hz, respectively,” according to ISIS. “As a result, if the frequency of the rotor increased to 1410Hz, the rotor would likely fly apart when the tangential speed of the rotor reached that level.”

ISIS doesn’t say how long the frequency needs to be at 1410Hz before the rotor reaches the tangential speed at which it would break apart, but within 15 minutes after instructing the frequency to increase, Stuxnet returns the frequency to its nominal 1064Hz level. Nothing else happens for 27 days, at which point a second attack sequence kicks in that reduces the frequency to 2Hz, which lasts for 50 minutes before the frequency is restored to 1064Hz. Another 27 days pass, and the first attack sequence launches again, increasing the frequency to 1410Hz, followed 27 days later by a reduction to 2Hz.

Stuxnet disguises all of this activity by sending commands to shut off warning and safety controls that would normally alert plant operators to the frequency changes.

ISIS notes that the Stuxnet commands don’t guarantee destruction of centrifuges. The length of the frequency changes may be designed simply to disrupt operations at the plant without breaking rotors outright, and the plant could conceivably have secondary control systems in place that protect centrifuges and are not affected by Stuxnet’s malicious commands.
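
As an added illustration (not code from the ISIS or Symantec reports), the sketch below shows the kind of check an independent secondary monitor could run on drive-frequency readings taken outside the compromised controller, reporting how long and how far the rotor frequency leaves its operating band. The 60Hz tolerance, the one-sample-per-minute format and all function names are assumptions; the sample trace is constructed from the durations described above, with the 27-day gap compressed to 60 minutes.

```python
from dataclasses import dataclass

NOMINAL_HZ = 1064.0   # nominal IR-1 frequency cited in the article
TOLERANCE_HZ = 60.0   # assumed band; wide enough to accept the 1007 Hz figure

@dataclass
class Excursion:
    start_min: int    # first out-of-band minute
    end_min: int      # first minute back in band (exclusive)
    peak_hz: float    # reading furthest from nominal during the excursion

    @property
    def duration_min(self):
        return self.end_min - self.start_min

def find_excursions(samples, nominal=NOMINAL_HZ, tol=TOLERANCE_HZ):
    """samples: (minute, hz) pairs in time order from an independent sensor,
    i.e. not the values the controller reports about itself."""
    found, cur = [], None
    for minute, hz in samples:
        if abs(hz - nominal) > tol:
            if cur is None:
                cur = Excursion(minute, minute + 1, hz)
            else:
                cur.end_min = minute + 1
                if abs(hz - nominal) > abs(cur.peak_hz - nominal):
                    cur.peak_hz = hz
        elif cur is not None:
            cur.end_min = minute      # back in band: close the excursion
            found.append(cur)
            cur = None
    if cur is not None:
        found.append(cur)             # still out of band when the data ends
    return found

def constructed_trace():
    # Constructed sample data: 1410 Hz for 15 min, then 2 Hz for 50 min.
    trace = [(m, 1064.0) for m in range(0, 30)]
    trace += [(m, 1410.0) for m in range(30, 45)]
    trace += [(m, 1064.0) for m in range(45, 105)]   # stands in for 27 days
    trace += [(m, 2.0) for m in range(105, 155)]
    trace += [(m, 1064.0) for m in range(155, 170)]
    return trace

if __name__ == "__main__":
    for e in find_excursions(constructed_trace()):
        print(f"minute {e.start_min}: {e.peak_hz} Hz for {e.duration_min} min")
```
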

There are still a lot of unanswered questions about both Stuxnet and the Natanz facility.

ISIS notes that it could not confirm the brand of frequency converters used at Natanz in order to determine if they are the ones that Stuxnet targets. Iran is known to have obtained frequency converters from a variety of suppliers, including ones in Germany and in Turkey. The New York Times reported last January that a foreign intelligence operation had aimed at sabotaging “individual power units that Iran bought in Turkey” for its centrifuge program. The ISIS authors say these “power units” are believed to have been frequency converters Iran obtained from Turkey.

If Stuxnet was indeed aimed at Natanz, and if its goal was to quickly destroy all of the centrifuges at Natanz, ISIS notes that it failed at this task.

“But if the goal was to destroy a more limited number of centrifuges and set back Iran’s progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily,” according to the report.

The authors close their report with a warning to governments that using tools like Stuxnet “could open the door to future national security risks or adversely and unintentionally affect US allies.”

“Countries hostile to the United States may feel justified in launching their own attacks against US facilities, perhaps even using a modified Stuxnet code,” they write. “Such an attack could shut down large portions of national power grids or other critical infrastructure using malware designed to target critical components inside a major system, causing a national emergency.”